PSD2 – Strong Customer Authentication

In February 2017, the European Banking Authority (EBA) published the final draft of the Regulatory Technical Standards on Strong Customer Authentication and Common and Secure Communication under the revised Payment Services Directive (PSD2).

Maybe not the most compelling title, but it is nevertheless important that your services use a security solution that meets these requirements. Let us tell you how the Keypasco Solution complies with, and exceeds, the new requirements for Strong Customer Authentication.

Why is Strong Customer Authentication needed?

PSD2 regulates how financial institutions and third-party services gain access to customer account data. The revised directive allows new players to access consumers' payment accounts, to make payments on their behalf, and to give them an overview of their various payment accounts. The institutions holding a consumer's payment account will have to grant these new players access to it. As a natural consequence, the customer authentication requirements are strengthened.

“The implications will be severe for those companies that will not comply with the new EU regulations in terms of PSD2. The direct implications will be sanctions and fines against those companies.”

Ria Vadpa / EU-commission in Brussels

Strong Customer Authentication requirements

If you are a Payment Service Provider, PSD2 requires you to authenticate a user when he or she: accesses an online payment account, initiates an electronic payment transaction, or carries out an action through a remote channel that may imply a risk of payment fraud.

Transaction protection

Unfortunately, attacks in which the amount and payee are altered and then unwittingly confirmed by the user are not uncommon. On mobile devices, for example, such attacks often use overlay windows. To prevent this kind of attack, the requirements state that the payment transaction data must be protected throughout all phases of authentication.

“...payment service providers shall adopt security measures which ensure the confidentiality, authenticity and integrity … through all phases of authentication…”

PSD2, article 2

The Keypasco Solution:

Keypasco's mobile SDK can be used either as a dedicated authentication app that communicates with the payment app through a two-app interface, or embedded directly in the payment application. In either case, the payment information is displayed over an out-of-band, double-encrypted channel.

Authentication elements

PSD2's basic definition of Strong Customer Authentication states that authentication must be based on two or more of three authentication elements: knowledge, possession and inherence, often explained as something only the user knows, has and is. These elements must be independent of each other, and their use must generate a one-time authentication code.

In the case of a payment transaction, the authentication code must be dynamically linked to the amount and the payee. If the payment amount or the payee changes, the authentication code must be invalidated.

The Keypasco Solution:

The Keypasco Solution makes use of all three elements. The basic factors are the PIN code (knowledge), the device ID (possession) and/or the user's fingerprint (inherence).

In addition, the Keypasco Solution can strengthen security further by adding the user's geolocation, behavioural history and a proximity device as additional authentication factors.

The possession element requirements

Requirements related to the possession element are particularly relevant for mobile devices, such as smartphones and tablets. It is stated that possession elements "shall be subject to measures to prevent replication of the elements".

Mobile applications are easy to clone; entire mobile devices can be cloned without the attacker even having physical access to the device. A countermeasure is to bind OTP generation, or the encryption of the data used by the app, to properties of the device, so that a copied application state is worthless on any other device.

The Keypasco Solution:

The foundation of the Keypasco Solution, the patented six-level device ID, combines device properties with five further layers to create a robust device identifier. Every clone is detected.

What about encrypting data? Keypasco takes this a step further. The private key of the asymmetric key pair used to create authentication codes and digital signatures is never stored in full on the mobile device. Where competitors store the entire private key somewhere on the device, Keypasco splits the private key into two parts: one part is stored on the server, the other on the mobile device, where it is encrypted with the user's PIN code or a biometric property.

Independence of authentication elements

The PSD2 requirements regarding the independence of the authentication elements are especially important in the context of mobile devices.

If any of the elements of strong customer authentication, or the authentication code itself, is used through a multi-purpose device such as a mobile phone or tablet, the payment service provider shall adopt security measures to mitigate the risk of that device being compromised.

For this purpose, the mitigating measures shall include, but not be limited to:

the use of separated secure execution environments through the software installed inside the multi-purpose device

This means that secure execution environments may be used. Mobile operating systems like Android and iOS meet this requirement through their sandboxing, but sandboxing only functions correctly as long as the device has not been jailbroken or rooted.

you must have mechanisms to ensure that the software or device has not been altered by the payer or by a third party, or mechanisms to mitigate the consequences of such alteration where it has taken place.

This means that you, as a Payment Service Provider, must use security controls to detect, prevent and respond to the alteration of mobile apps and devices.

So-called runtime application protection techniques can provide this level of control, and can also help detect whether the app is running on a simulated device, i.e. in an emulator.

The Keypasco Solution:

The execution environment protection in Keypasco's mobile SDK not only detects whether a device has been rooted or jailbroken; it also monitors continuously at runtime for a debugger attached to the application, which would otherwise make it possible to retrieve sensitive data from memory while the application runs.

Moreover, Keypasco's SDK has for many years been able to detect every mobile device emulator on the market. This is vital to the security of any authentication software executing on mobile devices. Through internal and external testing facilities, we continuously update our emulator detection and execution environment protection.

Transaction risk analysis

PSD2 mandates transaction risk analysis based on factors such as known fraud scenarios, signs of malware infection and the payment amount. An exemption from Strong Customer Authentication is foreseen for payments that the payment service provider's transaction risk analysis rates as low-risk purchases.

The transaction risk assessment should take payment patterns, location and time into account. Even though the maximum amount that can be exempted from Strong Customer Authentication is 500 euros, there is a lot of uncertainty and ambiguity about what counts as a low-risk amount. For instance, one factor that weighs heavily on which amount is considered low-risk is the payment service provider's own fraud rate.

The Keypasco Solution:

The cost of the Keypasco Solution is by default based on the number of end users, not the number of transactions. A payment service provider using the Keypasco Solution can therefore apply Strong Customer Authentication to every single transaction, regardless of the payment amount, at the same cost.

A core feature of the Keypasco Solution is its device-based risk engine. Traditional risk engines use probabilistic algorithms that estimate a decision from time of day, transaction type and the like, which leads to a certain percentage of false positives that inconvenience all parties involved. Keypasco's risk engine bases its decisions directly on device data: device ID, location, time and behavioural history.

In this way, a device that has been used for fraudulent activity against one payment service provider is immediately blacklisted and denied access when it appears elsewhere. This gives a single service provider using the Keypasco Solution protection and information that greatly exceed what it could obtain by collecting data only from its own users' devices.

What about SMS OTP and other authentication solutions?

There are several other authentication solutions that could meet the PSD2 requirements for Strong Customer Authentication. Here are some of them, along with the reason why the Keypasco Solution does not use them:

SMS OTP – insecure, vulnerable to attacks, and brings additional cost for the payment service provider.

The micro proximity feature adds a further level of security by designating a dedicated micro proximity device. If this device is not in the immediate vicinity of the Vakten for Desktop client, the user can neither log in nor sign any transactions.

For example: if device 1 is used to log in to an account, then device 2 (the micro proximity device) has to be within centimetres of device 1 for the login to succeed.

Our risk management analysis feature provides a risk score for each attempt made by the end user. The risk score is determined by indicators such as correct device, proximity of additional secure devices, out-of-band verifications, geographical location/geofencing, previous fraud and fraud trends.

This analysis is improved continuously and is an active part of the service, so that new threats are mitigated quickly.

The Keypasco PKI Sign feature offers Internet Content Providers (ICPs) full PKI support on a portable mobile device. The feature is based on three core concepts:

an end user's credentials, known only to the correct user,

a transaction can only be approved from the correct device,

a transaction can only be approved from an approved location.

By using PKI Sign we can guarantee that the signature was made by the correct user. Keypasco has invented (and patented) a new way of using a user's mobile device as a secure soft carrier of private keys.

An end user's private key is divided into three parts: a client part, a server part and a secret (the PIN). The private key can only be assembled to sign a transaction if the end user has all three parts. Only the correct user knows the secret that unlocks the client part, and the server part is released only once the correct device and location have identified themselves.

The feature does not require a Trusted Platform Module or a Secure Element, and if the Internet Content Provider has no established PKI CA, Keypasco can generate the keys and verify the signatures through an optional plugin.
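The split private key described above (the possession-element section's two-part key and the three-part PKI Sign key), together with the dynamic linking of the authentication code to amount and payee from the Authentication elements section, worked through as an added Go example. This is not Keypasco's code and assumes nothing about its patented scheme: it uses a plain additive split of a P-256 ECDSA scalar, a stand-in iterated-HMAC KDF, and a hypothetical device ID string standing in for the device fingerprint; every function name and sample value (PIN 4711, device-A, payee-account-1) is made up for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"math/big"
)

// Constructed demo, not Keypasco's code; all names and sample values are made up.
type wrappedShare struct{ Salt, Nonce, Ciphertext []byte }

// newSigningKey generates the user's long-term P-256 key at enrolment.
func newSigningKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// splitScalar: d = client + server (mod n); neither share alone reveals d.
func splitScalar(curve elliptic.Curve, d *big.Int) (client, server *big.Int, err error) {
	n := curve.Params().N
	if client, err = rand.Int(rand.Reader, n); err != nil {
		return nil, nil, err
	}
	return client, new(big.Int).Mod(new(big.Int).Sub(d, client), n), nil
}

// wrapAEAD stretches PIN + device fingerprint into an AES-256-GCM key. Stand-in
// KDF (iterated HMAC-SHA256); a real deployment would use PBKDF2 or Argon2.
func wrapAEAD(pin, deviceID string, salt []byte) cipher.AEAD {
	key := append([]byte{}, salt...)
	for i := 0; i < 20000; i++ {
		m := hmac.New(sha256.New, key)
		m.Write([]byte(pin + "\x00" + deviceID))
		key = m.Sum(nil)
	}
	block, _ := aes.NewCipher(key) // 32-byte key: cannot fail
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// wrapShare encrypts the client share; the device ID is also bound in as
// associated data, so a copied blob does not open on another device.
func wrapShare(share *big.Int, pin, deviceID string) *wrappedShare {
	rnd := make([]byte, 28)
	if _, err := rand.Read(rnd); err != nil {
		panic(err) // no usable entropy: refuse to continue
	}
	w := &wrappedShare{Salt: rnd[:16], Nonce: rnd[16:]}
	w.Ciphertext = wrapAEAD(pin, deviceID, w.Salt).Seal(nil, w.Nonce, share.FillBytes(make([]byte, 32)), []byte(deviceID))
	return w
}

// unwrapShare fails (GCM tag mismatch) on a wrong PIN or a different device.
func unwrapShare(w *wrappedShare, pin, deviceID string) (*big.Int, error) {
	pt, err := wrapAEAD(pin, deviceID, w.Salt).Open(nil, w.Nonce, w.Ciphertext, []byte(deviceID))
	if err != nil {
		return nil, errors.New("wrong PIN or device: client share not unwrapped")
	}
	return new(big.Int).SetBytes(pt), nil
}

// releaseServerShare models the back end: the share goes only to the enrolled device.
func releaseServerShare(enrolled, presented string, share *big.Int) (*big.Int, error) {
	if presented != enrolled {
		return nil, errors.New("unknown device: server share withheld")
	}
	return share, nil
}

// transactionHash binds the authentication code to exactly this amount and payee.
func transactionHash(amount, payee string) []byte {
	h := sha256.Sum256([]byte(amount + "|" + payee))
	return h[:]
}

// signTransaction recombines d in memory only for the duration of the signature.
func signTransaction(curve elliptic.Curve, client, server *big.Int, amount, payee string) ([]byte, error) {
	d := new(big.Int).Mod(new(big.Int).Add(client, server), curve.Params().N)
	x, y := curve.ScalarBaseMult(d.FillBytes(make([]byte, 32)))
	priv := &ecdsa.PrivateKey{PublicKey: ecdsa.PublicKey{Curve: curve, X: x, Y: y}, D: d}
	return ecdsa.SignASN1(rand.Reader, priv, transactionHash(amount, payee))
}

// verifyTransaction checks against the amount and payee the server actually received.
func verifyTransaction(pub *ecdsa.PublicKey, sig []byte, amount, payee string) bool {
	return ecdsa.VerifyASN1(pub, transactionHash(amount, payee), sig)
}

func main() {
	key, _ := newSigningKey()
	client, server, _ := splitScalar(key.Curve, key.D)
	c, _ := unwrapShare(wrapShare(client, "4711", "device-A"), "4711", "device-A")
	s, _ := releaseServerShare("device-A", "device-A", server)
	sig, _ := signTransaction(key.Curve, c, s, "100.00 EUR", "payee-account-1")
	fmt.Println(verifyTransaction(&key.PublicKey, sig, "100.00 EUR", "payee-account-1"))  // true
	fmt.Println(verifyTransaction(&key.PublicKey, sig, "9100.00 EUR", "payee-account-1")) // false
}
```

Two points worth noting about this design. First, the server verifies the signature against the amount and payee it actually received, not against what the app displayed, so an overlay that changes the displayed values cannot produce a code that matches the tampered transaction. Second, the full scalar does exist in the phone's memory for the duration of the signing call; that is exactly the window a debugger or a rooted device could exploit, which is why the runtime protection described earlier matters, and why a real two-party (threshold) signing protocol, in which neither side ever holds the whole key, would be the stronger construction.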

Keypasco offers Internet Content Providers a way to let users sign transactions via the Desktop Client. The Vakten for Desktop client presents a window with the transaction details and asks the user to approve or deny.

This signing option is presented on the same desktop device that initiated the attempt, but all the information is secured by the 2-channel structure.

The Keypasco product Browser Vakten is an easily and quickly deployable product, suitable as an entry-level product on its own, but it comes to its full strength in combination with the Keypasco client Smartphone Vakten.

It does not require any installation on client devices; instead it is integrated into the web layer of the Internet Content Provider's website as an embedded JavaScript.

The Vakten client runs in the end user's browser to identify the device and location. It addresses the following threats:

Phishing: Keypasco mitigates phishing by linking the user to a geographical location and to device authentication. A user's username and password will not work from the wrong device or location.

Man in the Middle and Man in the Browser: Man in the Middle (MitM) and Man in the Browser (MitB) attacks are mitigated by Keypasco's 2-channel structure and the out-of-band secure notifications.

Malicious code control (viruses, Trojans, etc.): Viruses, Trojans and other infections can control or replicate an end user's device. Keypasco mitigates these threats by offering out-of-band authentication, which enables a user to regain control of devices and accounts.

Theft/Robbery: In addition to virtual threats, physical theft of a device can compromise a user's security. With Keypasco's proximity feature, a user's account remains safe even if a device is stolen.